UAC/VS/W2K8: Why does VS not launch with admin privleges when I am in the Administrators group?

Question

Server 2008 machine with SP1, Visual Studio 2008 with SP1. My user; Developer, is in the local Administrators group. That said, some actions I perform in Visual Studio (use the properties window of a web application to invoke the creation of a virtual directory in local IIS) tell me that Admin privileges are required. It is an annoyance more than anything, I can just launch VS with right click (Run As Administrator) to perform the action - but I was curious if anyone knows why this happens?

Answer 1

Because that's how it works, I guess... It doesn't matter the group your user is in, what matters is if the application is running with admin privileges or not. If it is, than you will be able to perform admin actions, otherwise you won't.

All applications that use UAC to perform admin actions (when you see the security badge) they will either a) restart the application with admin privileges or b) launch a process with admin privileges to perform the respective action. They will never be able to grant you admin privileges without launching a process with them.

That's just the way it works really. As far as I know, this is how it works...

Answer 2

Nazgulled: Your first statement would indicate that processes launch in a security context other than that which they inherit from the current user. My curiousity stems from this basic understanding that a process runs with my token. If my user is in the admin group would it not then be running with admin privleges? Maybe my basic understanding of this is wrong - possible that user rights/security and process security context is not as tightly related as I understood them to be...

Answer 3

That's not how it works on Vista with UAC. Your user being in the admin group will mean that that user can perform admin tasks. Let's say you have a normal user and that user is logged on and tries to perform an admin task. That user won't be able to perform such task cause it's not on the admin group. He will need to provide the username/password of an admin to perform such task. But if your user is an admin, you'll be granted access to perform the task.

What you are saying is basically how Windows XP works and we all know how that turned out with all the security problems. On XP you are an administrator with admin rights, you can do whatever you want in the system. That's not very secure. In Vista, you are in the admin group but that doesn't mean every task should/will be run with admin privileges. You are an administrator, you can change whatever you want in the system but by default, things will run with the less admin rights possible to prevent any security problems. You want admin rights, run the application with admin privileges.

It's just how it works and how it's supposed to work.

That's how I see it anyways :)